MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7826cba41af49ea8bb9df841980036527414f9f693611136579460299d6e9f05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook

Vendor detections: 17


SHA256 hash: 7826cba41af49ea8bb9df841980036527414f9f693611136579460299d6e9f05
SHA3-384 hash: 963b7087a75cf3e9d8a3273b25fb43c2c32ab8226ed2c349f358921944b96e8429db0b253461ca5706343ab39899a190
SHA1 hash: 78a357947daef5f92b1adc17c7e32a760ce5fc58
MD5 hash: 41e8f429d524ddf91c9166e5be06881a
humanhash: utah-india-robert-twenty
File name: DNE251074547 DNE2512163164Penavico Shenzhen Logistics Ltd.cmd.exe
Signature: Formbook
File size: 1'041'920 bytes
First seen: 2026-02-19 14:19:47 UTC
Last seen: 2026-03-06 15:11:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'915 x AgentTesla, 19'820 x Formbook, 12'309 x SnakeKeylogger)
ssdeep: 24576:I/IAYxXA0qb58bQtWqjiE/039GAkGZWsDgqW5L/0cVwIiCrhA:I/IAd0qbqUnWE/039GAkdskqvarK
Threatray: 42 similar samples on MalwareBazaar
TLSH: T1F325120872A9E903C0E64F745731F239A7B01E8D6426D2078FD2BCDB787A7E558857CA
TrID: 25.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      25.3% (.EXE) Win64 Executable (generic) (6522/11/2)
      17.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.0% (.ICL) Windows Icons Library (generic) (2059/9)
      7.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: James_inthe_box
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 4
# of downloads: 150
Origin country: US
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: DNE251074547 DNE2512163164Penavico Shenzhen Logistics Ltd.cmd.exe
Verdict: Malicious activity
Analysis date: 2026-02-19 14:23:21 UTC
Tags: auto-startup susp-lnk

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 81.4%
Tags: autorun shell virus sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Launching a process
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process

Verdict: Malicious
File Type: exe x32
Detections: Trojan.MSIL.Inject.sb, Trojan.MSIL.Agent.sb, HEUR:Trojan.WinLNK.Powecod.e, HEUR:Trojan.MSIL.Injector.gen, HEUR:Trojan.MSIL.Crypt.gen, Trojan.MSIL.Crypt.sb, Trojan-Spy.Noon.HTTP.ServerRequest, PDM:Trojan.Win32.Generic, Backdoor.Agent.HTTP.C&C, Trojan.Win32.Agent.sb
Gathering data
Threat name: ByteCode-MSIL.Spyware.Phantomstealer
Status: Malicious
First seen: 2026-02-19 11:47:29 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 24 of 38 (63.16%)
Threat level: 2/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook discovery execution rat spyware stealer trojan

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files

SHA256 hash: 7826cba41af49ea8bb9df841980036527414f9f693611136579460299d6e9f05
MD5 hash: 41e8f429d524ddf91c9166e5be06881a
SHA1 hash: 78a357947daef5f92b1adc17c7e32a760ce5fc58

SHA256 hash: cda65bdb6f7404172c7cac67024bbdfc91929e8b7a9188d87b55ef3d4c574b9c
MD5 hash: b285372752ad5a5c2ade116630f34a6b
SHA1 hash: fafad9c462445305b1a88468b90c37ab7dbb91dc
Detections: win_formbook_g0

SHA256 hash: 24d589f63ad8dc889acdb4419497002169fe55bab57c198605906576cf488578
MD5 hash: 3601129bbb5063d92f33f6a9ae254c84
SHA1 hash: 09cde927f2958d9b68f34b00d952d4a9431fdef8

SHA256 hash: 6e112b6878e03b3b789f5158a198f031c6cefa96198c772bfeebfc3a328a83de
MD5 hash: e736dc07829e18a5fac13c4d6d2f45cd
SHA1 hash: 9f937356b042d431237e426c7809d90fa2b56469

SHA256 hash: cd0b63afe7bf45aa2e5973eb9600b2c2ccbb996f1d41844dcce744c18ae6fe18
MD5 hash: 9a31b824b99926efb6b38cba397e26b2
SHA1 hash: ac63241525b45fd75effff5797f6a07878f5b3f1
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
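As an added example (this is not MalwareBazaar's own code), the script below checks a local file against every hash this entry lists, for the parent sample and for the unpacked files above. The hash table is copied from this page; the chunked file hashing, the case-insensitive comparison and the up-front validation of the copied table are my choices, and the script name used in the usage note is assumed. The validation step matters in practice: a hash with a transcription error never matches anything, which a scanner would otherwise report as "clean". A match means the file is byte-identical to one of the listed artifacts; no match says nothing about whether a file is Formbook, because a repacked build changes every digest.

```python
"""Check a local file against the hashes listed in this MalwareBazaar entry.

Added example for this page, not MalwareBazaar code. ENTRY_HASHES is copied
from the entry (parent sample plus the five unpacked files); everything else
is Python standard library.
"""
import hashlib
import sys

# Expected hex digest length for each algorithm the entry reports.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha3_384": 96}

# Indicators copied from the entry: parent sample first, unpacked files after it.
# Only the parent sample has a SHA3-384 on the page.
ENTRY_HASHES = {
    "sha256": {
        "7826cba41af49ea8bb9df841980036527414f9f693611136579460299d6e9f05",
        "cda65bdb6f7404172c7cac67024bbdfc91929e8b7a9188d87b55ef3d4c574b9c",
        "24d589f63ad8dc889acdb4419497002169fe55bab57c198605906576cf488578",
        "6e112b6878e03b3b789f5158a198f031c6cefa96198c772bfeebfc3a328a83de",
        "cd0b63afe7bf45aa2e5973eb9600b2c2ccbb996f1d41844dcce744c18ae6fe18",
    },
    "sha1": {
        "78a357947daef5f92b1adc17c7e32a760ce5fc58",
        "fafad9c462445305b1a88468b90c37ab7dbb91dc",
        "09cde927f2958d9b68f34b00d952d4a9431fdef8",
        "9f937356b042d431237e426c7809d90fa2b56469",
        "ac63241525b45fd75effff5797f6a07878f5b3f1",
    },
    "md5": {
        "41e8f429d524ddf91c9166e5be06881a",
        "b285372752ad5a5c2ade116630f34a6b",
        "3601129bbb5063d92f33f6a9ae254c84",
        "e736dc07829e18a5fac13c4d6d2f45cd",
        "9a31b824b99926efb6b38cba397e26b2",
    },
    "sha3_384": {
        "963b7087a75cf3e9d8a3273b25fb43c2c32ab8226ed2c349f358921944b96e8429db0b253461ca5706343ab39899a190",
    },
}


def validate_ioc_table(table=ENTRY_HASHES):
    """Return a list of problems with a copied IOC table (empty list means OK).

    A mistyped digest silently never matches, so check the table before trusting
    a "no match" result.
    """
    problems = []
    for algo, values in table.items():
        if algo not in HEX_LEN:
            problems.append(f"unsupported algorithm {algo!r}")
            continue
        for value in values:
            is_hex = all(c in "0123456789abcdef" for c in value.lower())
            if len(value) != HEX_LEN[algo] or not is_hex:
                problems.append(f"{algo}: {value!r} is not a {HEX_LEN[algo]}-char hex digest")
    return problems


def digests(data: bytes) -> dict:
    """Compute the four digest types the entry reports, as lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HEX_LEN}


def match_digests(found: dict, table=ENTRY_HASHES) -> list:
    """Return sorted (algorithm, digest) pairs that appear in the table, ignoring case."""
    hits = []
    for algo, digest in found.items():
        known = {v.lower() for v in table.get(algo, ())}
        if digest.lower() in known:
            hits.append((algo, digest.lower()))
    return sorted(hits)


def match_bytes(data: bytes, table=ENTRY_HASHES) -> list:
    """Hash an in-memory blob and match it against the table."""
    return match_digests(digests(data), table)


def match_file(path: str, table=ENTRY_HASHES, chunk_size: int = 1 << 20) -> list:
    """Hash a file in chunks (samples can be large) and match it against the table."""
    hashers = {algo: hashlib.new(algo) for algo in HEX_LEN}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return match_digests({algo: h.hexdigest() for algo, h in hashers.items()}, table)


if __name__ == "__main__":
    # Refuse to scan with a table that contains a typo: that would only produce false negatives.
    problems = validate_ioc_table()
    if problems:
        sys.exit("\n".join(problems))
    for arg in sys.argv[1:]:
        hits = match_file(arg)
        verdict = ", ".join(f"{a}={d}" for a, d in hits) if hits else "no match"
        print(f"{arg}: {verdict}")
```

Usage (the script name is assumed): `python check_entry_hashes.py suspicious.bin`. It prints every algorithm whose digest appears in the entry; with the copied table, a genuine hit reports all of md5, sha1 and sha256 at once (and sha3_384 for the parent sample), so a hit on one algorithm only would itself point at a transcription error in the table.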

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed. Two of the three rules that matched this sample (pe_imphash and Skystars_Malware_Imphash) key on the import hash; the file information above shows the same imphash on tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, so those hits identify a shared loader or packer rather than the Formbook family itself.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
